Abstract

We provide a new provably-secure steganographic encryption protocol that is proven secure in the complexity-theoretic framework of Hopper et al. The fundamental building block of our steganographic encryption protocol is a "one-time stegosystem" that allows two parties to transmit messages of length shorter than the shared key with information-theoretic security guarantees. The employment of a pseudorandom generator (PRG) permits secure transmission of longer messages in the same way that such a generator allows the use of one-time pad encryption for messages longer than the key in symmetric encryption. The advantage of our construction, compared to that of Hopper et al., is that it avoids the use of a pseudorandom function family and instead relies (directly) on a pseudorandom generator in a way that provides linear improvement in the number of applications of the underlying one-way permutation per transmitted bit. This advantageous trade-off is achieved by substituting the pseudorandom function family employed in the previous construction with an appropriate combinatorial construction that has been used extensively in derandomization, namely almost t-wise independent function families.

Keywords: Information hiding, steganography, data hiding, steganalysis, covert communication.
In a canonical steganographic scenario, Alice and Bob wish to communicate securely in the presence of an adversary, called the "Warden," who monitors whether they exchange "conspicuous" messages. In particular, Alice and Bob may exchange messages that adhere to a certain channel distribution that represents "inconspicuous" communication. By controlling the messages that are transmitted over such a channel, Alice and Bob may exchange messages that cannot be detected by the Warden. There have been two approaches in formalizing this problem, one based on information theory [2, 13, 7] and one based on complexity theory [6]. The latter approach is more concrete and has the potential of allowing more efficient constructions. Most steganographic constructions supported by provable security guarantees are instantiations of the following basic procedure (often referred to as "rejection-sampling").

The problem specifies a family of message distributions (the "channel distributions") that provide a 
number of possible options for a so-called "covertext" to be transmitted. Additionally, the sender and the 
receiver possess some sort of private information (typically a keyed hash function, MAC, or other similar 
function) that maps channel messages to a single bit. In order to send a message bit m, the sender draws a 
covertext from the channel distribution, applies the function to the covertext and checks whether it happens to produce the "stegotext" m he originally wished to transmit. If this is the case, the covertext is transmitted. In case of failure, this procedure is repeated. While this is a fairly concrete procedure, there are a number of choices to be made with both practical and theoretical significance. From the security viewpoint, one is primarily interested in the choice of the function that is shared between the sender and the receiver. From a practical viewpoint, one is primarily interested in how the channel is implemented and whether it conforms to the various constraints that are imposed on it by the steganographic protocol specifications (e.g., are independent draws from the channel allowed? does the channel remember previous draws? etc.).

As mentioned above, the security of a stegosystem can be naturally phrased in information-theoretic terms (cf. [2]) or in complexity-theoretic terms [6]. Informally, the latter approach considers the following experiment for the warden-adversary: The adversary selects a message to be embedded and receives either covertexts that embed the message or covertexts simply drawn from the channel distribution (without any embedding). The adversary is then asked to distinguish between the two cases. Clearly, if the probability of success is very close to 1/2 it is natural to claim that the stegosystem provides security against such (eavesdropping) adversarial activity. Formulation of stronger attacks (such as active attacks) is also possible. Given the above framework, Hopper et al. [6] provided a provably secure stegosystem that pairs rejection sampling with a pseudorandom function family. Given that rejection sampling, when implemented properly and paired with a truly random function, is indistinguishable from the channel distribution, the security of their construction followed from the pseudorandom function family assumption. From the efficiency viewpoint, this construction required about 2 evaluations of the pseudorandom function per bit transmission. Constructing efficient pseudorandom functions is possible either generically [5] or, more efficiently, based on specific number-theoretic assumptions [9]. Nevertheless, pseudorandom function families are a conceptually complex and fairly expensive cryptographic primitive. For example, the evaluation of the Naor-Reingold pseudorandom function on an input x requires O(|x|) modular exponentiations. Similarly, the generic construction [5] requires O(k) PRG doublings of the input string where k is the length of the key.

In this article we take an alternative approach to the design of provably secure stegosystems. Our main contribution is the design of a building block that we call a one-time stegosystem: this is a steganographic protocol that is meant to be used for a single message transmission and is proven secure in an information-theoretic sense, provided that the key that is shared between the sender and the receiver is of sufficient length (this length analysis is part of our result). In particular we show that we can securely transmit an n bit message with a key of length O(n + log |Σ|); here |Σ| is the size of the channel alphabet (see Section 3.4 for more details regarding the exact complexity). Our basic building block is a natural analogue of a one-time pad for steganography. It is based on the rejection sampling technique outlined above in combination with an explicit almost t-wise independent [1] family of functions. We note that such combinatorial constructions have been extremely useful for derandomization methods and here, to the best of our knowledge, are employed for the first time in the design of steganographic protocols. Given a one-time stegosystem, it is fairly straightforward to construct provably secure steganographic encryption for longer messages by using a pseudorandom generator (PRG) to stretch a random seed that is shared by the sender and the receiver to sufficient length.

The resulting stegosystem is provably secure in the computational sense of Hopper et al. [6] and is in fact much more efficient: in particular, while the Hopper et al. stegosystem requires 2 evaluations per bit of a pseudorandom function, amounting to a linear (in the key-size) number of applications of the underlying PRG (in the standard construction for pseudorandom functions of [5]), in our stegosystem we require per bit a constant number of PRG applications.

2 Definitions and Tools 

We say that a function μ : N → R is negligible if for every positive polynomial p(·) there exists an N such that for all n > N, μ(n) <

We let Σ = {σ_1, ..., σ_s} denote an alphabet and treat the channel, which will be used for data transmission, as a family of random variables C = {C_h}_{h ∈ Σ*}; each C_h is supported on Σ. These channel distributions






model a history-dependent notion of channel data: if h_1, h_2, ..., h_l have been sent along the channel thus far, C_{h_1 ... h_l} determines the distribution of the next channel element.

Definition 1. A one-time stegosystem consists of three probabilistic polynomial time algorithms

S = (SK, SE, SD)

where:

• SK is the key generation algorithm; we write SK(1^n, log(1/ε_sec)) → k. It takes as input the security parameter ε_sec and the length of the message n and produces a key k of length κ. (We typically assume that κ = κ(n) is a monotonically increasing function of n.)

• SE is the embedding procedure, which can access the channel; SE(1^n, k, m, h) = s ∈ Σ*. It takes as input the length of the message n, the key k, a message m ∈ M_n = {0,1}^n to be embedded, and the history h of previously drawn covertexts. The output is the stegotext s ∈ Σ*.

• SD is the extraction procedure; SD(1^n, k, c ∈ Σ*) → m or fail. It takes as input n, k, and some c ∈ Σ*. The output is a message m or the token fail.

Recall that the min entropy of a random variable X, taking values in a set V, is the quantity

H_\infty(X) = \min_{v \in V} \left( -\log \Pr[X = v] \right) .

We say that a channel C has min entropy δ if for all h ∈ Σ*, H_∞(C_h) ≥ δ.

Definition 2 (Soundness). A stegosystem (SK, SE, SD) is said to be (ε, δ)-sound provided that for all channels C of minimum entropy δ,

\forall m \in M_n, \quad \Pr[SD(1^n, k, SE(1^n, k, m, h)) \ne m \mid k \leftarrow SK(1^n, \log(1/ε_{sec}))] < ε(κ) .

One-time stegosystem security is based on the indistinguishability between a transmission that contains a steganographically embedded message and a transmission that contains no embedded messages. An adversary A against a one-time stegosystem S = (SK, SE, SD) is a pair of algorithms A = (SA_1, SA_2), that plays the following game, denoted G^A(1^n):

1. A key k is generated by SK(1^n, log(1/ε_sec)).

2. Algorithm SA_1 receives as input the length of the message n and outputs a triple (m*, s, h_c) ∈ M_n × {0,1}* × Σ*, where s is some additional information that will be passed to SA_2. SA_1 is provided access to C via an oracle O(h), which takes the history h as input. O(·), on input h, returns to SA_1 an element c selected according to C_h.

3. A bit b is chosen uniformly at random.

   • If b = 0 let c* ← SE(1^n, k, m*, h_c), so c* is a stegotext.

   • If b = 1 let c* = c_1 ∘ ⋯ ∘ c_λ, where ∘ denotes string concatenation and c_i ← C_{h_c ∘ c_1 ∘ ⋯ ∘ c_{i−1}}.

4. The input for SA_2 is 1^n, h_c, c* and s. SA_2 outputs a bit b'. If b' = b then we say that (SA_1, SA_2) succeeded and write G^A(1^n) = success.

The advantage of the adversary A over a stegosystem S is defined as:

\mathrm{Adv}^A_S(n) = \left| \Pr[G^A(1^n) = \mathrm{success}] - \frac{1}{2} \right| .

The probability includes the coin tosses of A and SE, as well as the coin tosses of G^A(1^n). The (information-theoretic) insecurity of the stegosystem is defined as

\mathrm{InSec}_S(n) = \max_A \{ \mathrm{Adv}^A_S(n) \} ,

this maximum taken over all (time unbounded) adversaries A.

Definition 3 (Security). We say that a stegosystem is (ε, δ)-secure if for all channels with min entropy δ we have InSec_S(n) < ε(n).

2.1 Error-correcting Codes 

Our steganographic construction requires an efficient family of codes that can recover from errors introduced by certain binary symmetric channels. In particular, we require an efficient version of the Shannon coding theorem [11, 10]. For an element x ∈ {0,1}^n, we let B_p(x) be the random variable equal to x ⊕ e, where e ∈ {0,1}^n is a random error vector defined by independently assigning each e_i = 1 with probability p. (Here x ⊕ e denotes the vector with ith coordinate equal to x_i ⊕ e_i.)

The classical coding theorem asserts that for every pair of real numbers 0 < R < C < 1 and n ∈ N, there is a binary code A ⊆ {0,1}^n, with log|A|/n ≥ R, so that for each a ∈ A, maximum-likelihood decoding recovers a from B_p(a) with probability 1 − e^{−Ω(n)}, where

H(p) = p \log p^{-1} + (1 - p) \log (1 - p)^{-1} = 1 - C .

The quantity C (determined by p) is the capacity of the binary symmetric channel induced by B_p; the quantity R = log|A|/n is the rate of the code A. In this language, the coding theorem asserts that at rates lower than capacity, codes exist that correct random errors with exponentially decaying failure probability. We formalize our requirements below:

Definition 4. An error-correcting code is a pair of functions E = (Enc, Dec), where Enc : {0,1}^n → {0,1}^λ is the encoding function and Dec : {0,1}^λ → {0,1}^n the corresponding decoding function. Specifically, we say that E is an (n, λ, p, ε)-code if for all m ∈ {0,1}^n,

\Pr[\mathrm{Dec}(\mathrm{Enc}(m) \oplus e) = m] \ge 1 - ε

where e = (e_1, ..., e_λ) and each e_i is independently distributed in {0,1} so that Pr[e_i = 1] ≤ p. We say that E is efficient if both Enc and Dec are computable in polynomial time.

Proposition 1. Let τ = τ(n) lie in the interval (0, 1/4), p = 1/2 − τ, and R' = 1 − H(p). Let n ≥ 16 be a message length for which (104 log(log n))²/log n < τ². Then there is an efficient family of (n, ℓ(n), p, ε(n))-error-correcting codes E_n for which

ε(n) \le e^{-4n/\log n} \quad \text{and} \quad ℓ(n) \le \left( 1 + \frac{57}{τ \sqrt{\log n}} \right) \frac{n}{R'} .

Proof. This is a consequence of Forney's [3] efficient realizations of the Shannon coding theorem [11, 10]; we work out the technical details in the full version of the paper. □

We refer to [12, 4] for detailed discussions of error-correcting codes over binary symmetric channels. 

2.2 Function Families and Almost t-wise Independence 

We will employ the notion of (almost) t-wise independent function families (cf. [1], [8]). 

Definition 5. A family F of Boolean functions on {0,1}^n is said to be ε-away from t-wise independent or (n, t, ε)-independent if for any t distinct domain elements q_1, q_2, ..., q_t we have

\sum_{a \in \{0,1\}^t} \left| \Pr_f[f(q_1) f(q_2) \cdots f(q_t) = a] - \frac{1}{2^t} \right| \le ε , \qquad (1)

where f is chosen uniformly from F.

The above is equivalent to the following formulation quantified over all computationally unbounded adversaries A:

\left| \Pr[G^{A,F}(1^n) = 1] - \Pr[G^{A,R}(1^n) = 1] \right| < ε , \qquad (2)

where R is the collection of all functions from {0,1}^n to {0,1} and A^{(·)} is an unbounded adversary that is allowed to determine up to t queries to the function f before he outputs his bit.

Lemma 2. F_k is ε'-away from t-wise independence according to equation (1) if and only if F_k is ε'-away from t-wise independence according to equation (2) above.

We employ the construction of almost t-wise independent sample spaces given by [8], [1].

Theorem 3 ([8], [1]). There exist families of Boolean functions F^n_t on {0,1}^n that are ε-away from t-wise independent, are indexed by keys of length (2 + o(1))(log log n + t/2 + log 1/ε), and are computable in polynomial time.



2.3 Rejection Sampling 

A common method used in steganography employing a channel distribution is that of rejection sampling (cf. [2, 6]). Assuming that one wishes to transmit a single bit m and employs a random function f : {0,1}^k × Σ → {0,1} that is secret from the adversary, one performs the following "rejection sampling" process:

rejsam^i_h(m):
    c ← C_h
    if f(i, c) ≠ m
        then c ← C_h
    Output: c

Here, as above, Σ denotes the output alphabet of the channel, h denotes the history of the channel data at the start of the process, and C_h denotes the distribution on Σ given by the channel after history h. The receiver (also privy to the function f) applies the function to the received message c ∈ Σ and recovers m with probability greater than 1/2. The sender and the receiver may employ a joint state denoted by i in the above process (e.g., a counter), that need not be secret from the adversary. Note that the above process performs only two draws from the channel with the same history (more draws could, in principle, be performed). These draws are assumed to be independent. One basic property of rejection sampling that we use is:

Lemma 4. If f is drawn uniformly at random from the collection of all functions R = {f : Σ → {0,1}} and C has min entropy δ, then

\Pr_f[f(\mathrm{rejsam}_h(m)) = m] \ge \frac{1}{2} + τ ,

where τ = \frac{1}{4}(1 − 2^{−δ}).

Proof. Define the event E to be

E = [f(c_1) = m] \vee [f(c_1) \ne m \wedge f(c_2) = m] ;

thus E is the event that rejection sampling is successful for m. Here c_1, c_2 are two independent random variables distributed according to the channel distribution C_h and h is determined by the history of channel usage. Recalling that Σ = {σ_1, ..., σ_s} is the support of the channel distribution C_h, let p_i = Pr[C_h = σ_i] denote the probability that σ_i occurs. As f is chosen uniformly at random,

Pr[f(c_1) = m] = 1/2.

Then Pr[E] = 1/2 + Pr[A], where A is the event that f(c_1) ≠ m ∧ f(c_2) = m. To bound Pr[A], let D denote the event that c_1 ≠ c_2. Observe that conditioned on D, A occurs with probability exactly 1/4; on the other hand, A cannot occur simultaneously with \bar{D}. Thus

\Pr[E] = \frac{1}{2} + \Pr[A \mid D] \cdot \Pr[D] + \Pr[A \mid \bar{D}] \cdot \Pr[\bar{D}] = \frac{1}{2} + \frac{1}{4} \Pr[D] .

To bound Pr[\bar{D}], note that

\Pr[\bar{D}] = \sum_i p_i^2 \le \max_i p_i \sum_i p_i = \max_i p_i

and hence that Pr[D] ≥ 1 − max_i p_i. Considering that H_∞(C) ≥ δ, we have max_i p_i ≤ 2^{−δ} and the success probability is

\Pr[E] \ge \frac{1}{2} + \frac{1}{4} \left( 1 - \max_i p_i \right) \ge \frac{1}{2} + \frac{1}{4} \left( 1 - 2^{-δ} \right) = \frac{1}{2} + τ ,

where τ = \frac{1}{4}(1 − 2^{−δ}). □

3 The construction 

In this section we outline our construction of a one-time stegosystem as an interaction between Alice (the sender) and Bob (the receiver). Alice and Bob wish to communicate over a channel with distribution C. We assume that C has min entropy δ, so that ∀h ∈ Σ*, H_∞(C_h) ≥ δ. As above, let τ = \frac{1}{4}(1 − 2^{−δ}). For simplicity, we assume that the support of C_h is of size |Σ| = 2^δ.

3.1 A one-time stegosystem 

Fix an alphabet Σ for the channel and choose a message length n and security parameter ε_F. Alice and Bob agree on the following:

An error-correcting code. Let E = (Enc, Dec) be an efficient (n, λ, 1/2 − τ, ε_enc)-error-correcting code;

A pseudorandom function family. Let F be a function family that is (log λ + log |Σ|, 2λ, ε_F)-independent. We treat elements of F as Boolean functions on {1, ..., λ} × Σ and, for such a function f, we let f_i : Σ → {0,1} denote the function f_i(σ) = f(i, σ).

We will analyze the stegosystem below in terms of arbitrary parameters λ, ε_F, and ε_enc, relegating discussion of how these parameters determine the overall efficiency of the system to Section 3.4.

Key generation consists of selecting an element f ∈ F. Alice and Bob then communicate using the algorithms SE for embedding and SD for extracting as described in Figure 1. In SE, after applying the error-correcting code E, we use rejsam^i_h(m_i) to obtain an element c_i of the channel for each bit m_i of the message. The resulting stegotext c_1 ... c_λ is denoted c_stego. In SD the received stegotext is parsed block by block by evaluating the key function f_i at c_i; this results in a message bit. After performing this for each received block, a message of size λ is received, which is subjected to decoding via Dec. Note that we sample at most twice from the channel for each bit we wish to send. The error-correcting code is needed to recover from the errors introduced by this process. The detailed security and correctness analysis follow in the next two sections.
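The one-time stegosystem of Figure 1 end to end, as an added Python example (not the paper's code). Assumptions made only for this example: a constructed history-dependent channel, HMAC-SHA256 as a stand-in for the almost 2λ-wise independent family F, and a repetition code as a stand-in for the (n, λ, 1/2 − τ, ε_enc)-code of Proposition 1; the example shows the mechanics of SE and SD and the at-most-two-draws-per-bit budget rather than the paper's parameters.

```python
import hashlib
import hmac
import random
import string

# Constructed toy channel: 64 symbols. C_h is uniform over every symbol except the
# last one transmitted, so the distribution depends on the history h and has
# min entropy log2(63) bits. (Assumption for this example only.)
ALPHABET = string.ascii_letters + string.digits + "+/"


def channel_draw(rng, history):
    """One independent draw from C_h."""
    last = history[-1] if history else None
    return rng.choice([c for c in ALPHABET if c != last])


def keyed_bit(key, i, c):
    """f_i(c) = f(i, c). HMAC-SHA256 is an illustrative stand-in for the almost
    2-lambda-wise independent family F of Section 3.1 (assumption, not the paper's family)."""
    mac = hmac.new(key, f"{i}:{c}".encode(), hashlib.sha256).digest()
    return mac[0] & 1


def rejsam(rng, key, i, history, m, draws):
    """Two-draw rejection sampling rejsam^i_h(m) from Section 2.3; draws[0] counts channel draws."""
    c = channel_draw(rng, history)
    draws[0] += 1
    if keyed_bit(key, i, c) != m:
        c = channel_draw(rng, history)   # second draw with the same history h
        draws[0] += 1
    return c


# Repetition code with majority decoding: a stand-in for the efficient
# (n, lambda, 1/2 - tau, eps_enc)-code of Proposition 1 (assumption for this example).
REP = 81


def enc(message_bits):
    return [b for b in message_bits for _ in range(REP)]


def dec(code_bits):
    return [int(sum(code_bits[j:j + REP]) * 2 > REP)
            for j in range(0, len(code_bits), REP)]


def SE(key, message_bits, history, rng):
    """Embedding (Figure 1): Enc, then one rejection-sampled channel symbol per codeword bit.
    Returns the stegotext and the number of channel draws used (at most 2*lambda)."""
    code = enc(message_bits)
    h = list(history)
    draws = [0]
    stego = []
    for i, m_i in enumerate(code):
        c_i = rejsam(rng, key, i, h, m_i, draws)
        stego.append(c_i)
        h.append(c_i)                    # h <- h o c_i
    return "".join(stego), draws[0]


def SD(key, stego):
    """Extraction (Figure 1): evaluate f_i at c_i for each block, then Dec."""
    return dec([keyed_bit(key, i, c) for i, c in enumerate(stego)])


def demo(seed=1):
    """Embed a constructed 8-bit message after history 'abc' and extract it again."""
    rng = random.Random(seed)
    key = bytes(range(32))               # constructed one-time key
    message = [1, 0, 1, 0, 0, 1, 0, 1]
    stego, draws = SE(key, message, "abc", rng)
    return message, SD(key, stego), len(stego), draws


if __name__ == "__main__":
    message, recovered, length, draws = demo()
    print("recovered:", recovered == message, "stegotext length:", length, "draws:", draws)
```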

3.2 Correctness 

We focus on the mapping between {0,1}^λ and Σ^λ determined by the SE procedure of the one-time stegosystem. In particular, for an initial history h and a key function f : {1, ..., λ} × Σ → {0,1}, recall that the covertext of the message m is given by the procedure P_f(m) = P^h_f(m), described in Figure 2; here h is the initial history. We remark now that the procedure defining P_f samples f at no more than 2λ points and that
PROCEDURE SE:
    Input: Key k, hidden text m', history h
    let m = Enc(m')
    parse m as m = m_1 m_2 ... m_λ
    for i = 1 to λ {
        c_i = rejsam^i_h(m_i)
        set h ← h ∘ c_i
    }
    Output: c_stego = c_1 c_2 ... c_λ ∈ Σ^λ

PROCEDURE SD:
    Input: Key k, stegotext c_stego
    parse c_stego as c = c_1 c_2 ... c_λ
    for i = 1 to λ {
        set m̂_i = f_i(c_i)
    }
    let m̂ = m̂_1 m̂_2 ... m̂_λ
    Output: Dec(m̂)

Figure 1: Encryption and Decryption algorithms for the one-time stegosystem of 3.1.

P^h_f : {0,1}^λ → Σ^λ
    input: h, m = m_1 ... m_λ ∈ {0,1}^λ
    for i = 1 to λ
        c_i = rejsam^i_h(m_i)
        h ← h ∘ c_i
    output: c = c_1 ... c_λ ∈ Σ^λ

Figure 2: The procedure P_f.



the family F used in SE is ε_F-away from 2λ-wise independent. For a string c = c_1 ... c_λ ∈ Σ^λ and a function f, let R_f(c) = (f_1(c_1), ..., f_λ(c_λ)) ∈ {0,1}^λ. If f were chosen uniformly among all Boolean functions on {1, ..., λ} × Σ then we could conclude from Lemma 4 above that each bit is independently recovered by this process with probability at least 1/2 + τ. As E is an (n, λ, 1/2 − τ, ε_enc)-error-correcting code, this would imply that

\Pr_f[R_f(P_f(m)) = m] \ge 1 - ε_{enc} .

This is a restatement of the correctness analysis of Hopper et al. [6]. Recalling that the procedure defining R_f(P_f(·)) involves no more than 2λ samples of f, condition (2) following Definition 5 implies that

\Pr_{f \in F}[R_f(P_f(m)) = m] \ge 1 - ε_{enc} - ε_F \qquad (3)

so long as F is (log λ + log |Σ|, 2λ, ε_F)-independent. (We remark that as described above, the procedure P_f depends on the behavior of the channel; note, however, that if there were a sequence of channel distributions which violated (3) then there would be a fixed sequence of channel responses, and thus a deterministic process P_f, which also violated (3).) To summarize:

Lemma 5. With SE and SD described as above, the probability that a message m is recovered from the stegosystem is at least 1 − ε_enc − ε_F.



3.3 Security 

In this section we argue about the security of our one-time stegosystem. First we will observe that the output of the rejection sampling function rejsam^i_h, with a truly random function f, is indistinguishable from the channel distribution C_h. (This is a folklore result implicit in previous work.) We then show that if f is selected from a family that is ε_F-away from 2λ-wise independent, the advantage of an adversary A to distinguish between the output of the protocol and C_h is bounded above by ε_F. Let R = {f : Σ → {0,1}}. First we characterize the probability distribution of the rejection sampling function:
Proposition 6. The function rejsam^i_h(m) is a random variable with probability distribution expressed by the following function: Let c ∈ Σ and m ∈ {0,1}. Let miss_f(m) = Pr_{c' ← C_h}[f(c') ≠ m] and p_c = Pr_{c' ← C_h}[c' = c]. Then

\Pr[\mathrm{rejsam}^i_h(m) = c] = \begin{cases} p_c \cdot (1 + \mathrm{miss}_f(m)) & \text{if } f(c) = m , \\ p_c \cdot \mathrm{miss}_f(m) & \text{if } f(c) \ne m . \end{cases}

Proof. Let c_1 and c_2 be the two (independent) samples drawn from C_h during rejection sampling. (For simplicity, we treat the process as having drawn two samples even in the case where it succeeds on the first draw.) Note, now, that in the case where f(c) ≠ m, the value c is the result of the rejection sampling process precisely when f(c_1) ≠ m and c_2 = c; as these samples are independent, this occurs with probability miss_f(m) · p_c.

In the case where f(c) = m, however, we observe c whenever c_1 = c or f(c_1) ≠ m and c_2 = c. As these events are disjoint, their union occurs with probability p_c · (miss_f(m) + 1), as desired. □

Lemma 7. For any h ∈ Σ*, m ∈ {0,1}, the random variable rejsam^i_h(m) is perfectly indistinguishable from the channel distribution C_h when f is drawn uniformly at random from the space R.

Proof. Let f be a random function, as described in the statement of the lemma. Fixing the elements c and m, we condition on the event E_≠ that f(c) ≠ m. In light of Proposition 6, for any f drawn under this conditioning we shall have that Pr[rejsam^i_h(m) = c] is equal to

\Pr_{c' \leftarrow C_h}[c' = c] \cdot \mathrm{miss}_f(m) = p_c \cdot \mathrm{miss}_f(m) ,

where we have written miss_f(m) = Pr_{c' ← C_h}[f(c') ≠ m] and p_c = Pr_{c' ← C_h}[c' = c]. Conditioned on E_≠, then, the probability of observing c is

\mathbb{E}_f[p_c \cdot \mathrm{miss}_f(m) \mid E_{\ne}] = p_c \left( p_c + \tfrac{1}{2}(1 - p_c) \right) .

Letting E_= be the event that f(i, c) = m, we similarly compute

\mathbb{E}_f[p_c \cdot \mathrm{miss}_f(m) \mid E_{=}] = p_c \left( 1 + \tfrac{1}{2}(1 - p_c) \right) .

As Pr[E_=] = Pr[E_≠] = 1/2, we conclude that the probability of observing c is exactly p_c, as desired. □
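A check of Lemma 4 and of Proposition 6 and Lemma 7 by exact enumeration, added here as an example and not part of the paper: for a small constructed channel C_h it computes the output distribution of two-draw rejection sampling for every Boolean function f on Σ, then averages over f to confirm that the success probability meets the 1/2 + τ bound and that the averaged output distribution is exactly C_h.

```python
from fractions import Fraction
from itertools import product

# Constructed example channel C_h for one fixed history h: symbol -> probability.
# max_i p_i = 1/2, so 2^-delta = 1/2 and tau = (1 - 1/2)/4 = 1/8.
CHANNEL = {"a": Fraction(1, 2), "b": Fraction(1, 4), "c": Fraction(1, 4)}


def rejsam_distribution(f, channel, m):
    """Exact output distribution of two-draw rejection sampling for a fixed f.

    Case analysis of Proposition 6: a symbol c with f(c) = m is observed when the
    first draw is c, or when the first draw misses and the second draw is c; a
    symbol with f(c) != m is observed only via a missed first draw.
    """
    miss = sum(p for c, p in channel.items() if f[c] != m)      # miss_f(m)
    return {c: p * (1 + miss) if f[c] == m else p * miss
            for c, p in channel.items()}


def success_probability(f, channel, m):
    """Pr[f(rejsam_h(m)) = m] for a fixed f."""
    dist = rejsam_distribution(f, channel, m)
    return sum(dist[c] for c in channel if f[c] == m)


def average_over_random_f(channel, m):
    """Average the output distribution and the success probability over all
    2^|Sigma| Boolean functions f : Sigma -> {0,1}, i.e. over a truly random f."""
    symbols = sorted(channel)
    count = 2 ** len(symbols)
    avg_dist = {c: Fraction(0) for c in symbols}
    avg_success = Fraction(0)
    for bits in product((0, 1), repeat=len(symbols)):
        f = dict(zip(symbols, bits))
        dist = rejsam_distribution(f, channel, m)
        for c in symbols:
            avg_dist[c] += dist[c] / count
        avg_success += success_probability(f, channel, m) / count
    return avg_dist, avg_success


def lemma4_bound(channel):
    """1/2 + tau with tau = (1 - 2^-delta)/4, where 2^-delta = max_i p_i."""
    max_p = max(channel.values())
    return Fraction(1, 2) + (1 - max_p) / 4


def exact_success(channel):
    """Closed form from the proof of Lemma 4: 1/2 + (1 - sum_i p_i^2)/4."""
    return Fraction(1, 2) + (1 - sum(p * p for p in channel.values())) / 4


if __name__ == "__main__":
    for m in (0, 1):
        dist, succ = average_over_random_f(CHANNEL, m)
        print(f"m={m}: output == channel: {dist == CHANNEL}, "
              f"success {succ} >= bound {lemma4_bound(CHANNEL)}")
```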
The following corollary follows immediately from the lemma above. 

Corollary 8. For any h ∈ Σ*, m ∈ {0,1}^λ, the random variable P^h_f(m) is perfectly indistinguishable from the channel distribution when f is drawn uniformly at random from the space of all Boolean functions on {1, ..., λ} × Σ.

Having established the behavior of the rejection sampling function when a truly random function is used, we proceed to examine the behavior of rejection sampling in our setting where the function is drawn from a function family that is ε_F-away from 2λ-wise independence. In particular we will show that the insecurity of the defined stegosystem is characterized as follows:

Lemma 9. The insecurity of the stegosystem S of Section 3.1 is bounded by ε_F, i.e., InSec_S(n) ≤ ε_F, where ε_F is the bias of the almost 2λ-wise independent function family employed; recall that λ = λ(n) is the stretching of the input incurred due to the error-correcting code.

Proof. Let us play the following game G(1^n) with the adversary A. In each round we either select G^F or G^R:

G^F(1^n):
1. k ← {0,1}^κ, selecting f = f_k ∈ F.
2. (m*, s) ← SA_1^{O(·)}(1^n, h), m* ∈ {0,1}^n.
3. b ← {0,1}.
4. c* = c_0, c_1, ..., c_{λ−1} with c_i = rejsam^i_h(m_i) and h = h ∘ c_i, if b = 0; c* = c_0, c_1, ..., c_{λ−1} drawn from the channel, if b = 1.
5. b* ← SA_2(c*, s).
6. If b = b* then success.

G^R(1^n):
1. f ← R.
2. (m*, s) ← SA_1^{O(·)}(1^n, h), m* ∈ {0,1}^n.
3. b ← {0,1}.
4. c* = c_0, c_1, ..., c_{λ−1} with c_i = rejsam^i_h(m_i) and h = h ∘ c_i, if b = 0; c* = c_0, c_1, ..., c_{λ−1} drawn from the channel, if b = 1.
5. b* ← SA_2(c*, s).
6. If b = b* then success.

By Corollary 8, in G^R the string c* is distributed exactly as the channel whether b = 0 or b = 1, so A succeeds in G^R with probability exactly 1/2. The procedure producing c* queries f at no more than 2λ points, so condition (2) following Definition 5 bounds the gap between the two games:

\mathrm{Adv}^A_S(G(1^n)) = \left| \Pr[A^F = 1] - \Pr[A^R = 1] \right| = \left| \Pr[G^F(1^n) = 1] - \Pr[G^R(1^n) = 1] \right| \le ε_F ,

and the lemma follows by the definition of insecurity. □



3.4 Putting it all together 

The objective of this section is to integrate the results of the previous sections of the paper into one unifying theorem. As our system is built over two-sample rejection sampling, a process that faithfully transmits each bit with probability 1/2 + τ, we cannot hope to achieve rate exceeding

R' = 1 - H(1/2 + τ) = 1 - H\left( 1/4 + 2^{-δ}/4 \right) .

Indeed, as described in the theorem below, the system asymptotically converges to the rate of this underlying rejection sampling channel. (We remark that with sufficiently large channel entropy, one can draw more samples during rejection sampling without interfering with security; this can control the noise introduced by rejection sampling.)

Theorem 10. For δ = Ω((log log n)²/log n) the stegosystem S uses private keys k of length no more than

(2 + o(1)) \left[ λ(n) + \log 1/ε_F + \log \log \log |Σ| \right]

and is both (ε_enc + ε_F, δ)-sound and (ε_F, δ)-secure. The length λ(n) of the stegotext is bounded as in the proof below, where ε_enc ≤ e^{−4n/log n} and R' = 1 − H(1/4 + 2^{−δ}/4).

Proof. Let Σ = {σ_1, ..., σ_s} denote an alphabet and define the channel as a family of random variables C = {C_h}_{h ∈ Σ*}, each C_h supported on Σ. Also, the channel C has min entropy δ, so that ∀h ∈ Σ*, H_∞(C_h) ≥ δ. Fix an alphabet Σ for the channel and choose a message length n ≥ 16 such that

-\log \left( 1 - 4 \sqrt{(104 \log(\log n))^2 / \log n} \right) < δ .

Under the assumption that the channel C has min entropy δ, the binary symmetric channel induced by the rejection sampling process of Lemma 4 has transition probability no more than 1/4(1 + 2^{−δ}). We have an efficient (n, λ, 1/4(1 + 2^{−δ}), ε_enc) error-correcting code as discussed in Section 2.1 that encodes messages of length n as codewords of length

λ(n) = \left( 1 + \frac{57}{τ \sqrt{\log n}} \right) \frac{n}{R'} \le \left( 1 + \frac{1}{\log(\log n)} \right) \frac{n}{R'} \text{ bits.}

Selecting f from the almost 2λ(n)-wise independent family of Theorem 3 then requires

(2 + o(1)) \left[ λ(n) + \log 1/ε_F + \log \log \log |Σ| \right]

random bits; these serve as the key for the stegosystem. In light of the conclusions of Lemma 9 and Lemma 5, this system achieves the (ε_enc + ε_F, δ)-soundness and (ε_F, δ)-security. □

For concreteness, we record two corollaries:

Corollary 11. There exists a function δ(n) = o(1) so that the stegosystem S, using private keys k of length no more than

O(n + \log |Σ| + \log 1/ε_F) ,

is both (e^{−4n/log n} + ε_F, δ)-sound and (ε_F, δ)-secure. Here, the length of the stegotext is

λ(n) = (1 + o(1)) \frac{n}{R'} ,

where R' = 1 − H(1/4(1 + 2^{−δ})).

Corollary 12. For any constant δ, the stegosystem S uses private keys of length O(n + log |Σ| + log 1/ε_F) and transmits no more than O(n) symbols.



4 A provably secure stegosystem for longer messages 

In this section we show how to apply the "one-time" stegosystem of Section 3.1 together with a pseudorandom number generator so that longer messages can be transmitted.

Definition 6. Let U_l denote the uniform distribution over {0,1}^l. A polynomial time deterministic program G is a pseudorandom generator (PRG) if the following conditions are satisfied:

Variable output. For all seeds x ∈ {0,1}* and y ∈ N, |G(x, 1^y)| = y and, furthermore, G(x, 1^y) is a prefix of G(x, 1^{y+1}).

Pseudorandomness. For every polynomial p the set of random variables {G(U_l, 1^{p(l)})}_{l ∈ N} is computationally indistinguishable from the uniform distribution U_{p(l)}.

Note that there is a procedure G' such that if z = G(x, 1^y) it holds that G(x, 1^{y+y'}) = G'(x, z, 1^{y'}) (i.e., if one maintains z, one can extract the y' bits that follow the first y bits without starting from the beginning). For a PRG G, if A is some statistical test, then we define the advantage of A over the PRG as follows:



\mathrm{Adv}^A_G(l) = \left| \Pr[A(G(U_l, 1^{p(l)})) = 1] - \Pr[A(U_{p(l)}) = 1] \right| .

The insecurity of the PRG G is then defined

\mathrm{InSec}^{\mathrm{prg}}_G(l) = \max_A \{ \mathrm{Adv}^A_G(l) \} .

Note that typically, for a PRG G, there is a procedure G' such that the process G(x, 1^y) also produces some auxiliary data aux_y of small length, and the rightmost y' bits of G(x, 1^{y+y'}) may be sampled directly as
G'(x, 1^{y'}, aux_y). Consider now the following stegosystem S' = (SE', SD') that can be used for arbitrarily many and long messages and employs a PRG G and the one-time stegosystem (SK, SE, SD) of Section 3.1. The two players Alice and Bob share a key of length l denoted by x. They also maintain a state N that holds the number of bits that have been transmitted already as well as the auxiliary information aux_N (initially empty). The function SE' is given input N, aux_N, x, m ∈ {0,1}^n where m is the message to be transmitted. SE' in turn employs the PRG G to extract a number of bits k as follows: k = G'(x, 1^κ, aux_N). The length κ is selected to match the number of key bits that are required to transmit the message m using the one-time stegosystem of Section 3.1. Once the key k is produced by the PRG the procedure SE' invokes the one-time stegosystem on input k, m, h. After the transmission is completed the history h, the count N, as well as the auxiliary PRG information aux_N are updated accordingly. The function SD' is defined in a straightforward way based on SD.

Theorem 13. The stegosystem S' = (SE', SD') is provably secure in the model of [6] (universally steganographically secret against chosen hiddentext attacks); in particular

\mathrm{InSec}^{\mathrm{ss}}_{S'}(t, q, l) \le \mathrm{InSec}^{\mathrm{prg}}_G \left( t + γ(κ(l)), κ(l) + \mathrm{polylog}(l) \right)

(where t is the time required by the adversary, q is the number of chosen hiddentext queries it makes, l is the total number of bits across all queries and γ(v) is the time required to simulate the SE' oracle for v bits).
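The PRG interface of Definition 6 and the stateful key schedule of S', as an added Python example (not from the paper). Assumptions made only for this example: G is a SHA-256 counter stream standing in for a real PRG, aux_y is the count of stream bits consumed so far, and kappa(n) is supplied by the caller (it plays the role of the one-time key length of Section 3.4).

```python
import hashlib

BLOCK_BITS = 256  # one SHA-256 output


def _stream_block(x, ctr):
    """Block number ctr of the constructed counter stream seeded by x, as a bit string."""
    digest = hashlib.sha256(x + ctr.to_bytes(8, "big")).digest()
    return "".join(f"{byte:08b}" for byte in digest)


def G(x, y):
    """G(x, 1^y): the first y bits of the stream. A stand-in PRG for illustration
    (assumption); the variable-output prefix property of Definition 6 holds by construction."""
    bits, ctr = "", 0
    while len(bits) < y:
        bits += _stream_block(x, ctr)
        ctr += 1
    return bits[:y]


def G_prime(x, y_prime, aux_y):
    """G'(x, 1^{y'}, aux_y): the y' bits that follow the first y bits of G(x, .),
    resumed from aux_y = y (bits consumed so far) without regenerating them.
    Returns the bits together with the updated auxiliary data aux_{y+y'}."""
    ctr, offset = divmod(aux_y, BLOCK_BITS)
    out = ""
    while len(out) < y_prime:
        out += _stream_block(x, ctr)[offset:]
        offset, ctr = 0, ctr + 1
    return out[:y_prime], aux_y + y_prime


class StegoKeySchedule:
    """State shared by Alice and Bob in S': the seed x, the count N of message bits
    already transmitted, and aux_N. Each message of length n receives a fresh
    one-time key of kappa(n) stream bits; no stream bit is ever reused."""

    def __init__(self, x, kappa):
        self.x, self.kappa = x, kappa
        self.N, self.aux = 0, 0

    def next_key(self, n):
        key, self.aux = G_prime(self.x, self.kappa(n), self.aux)
        self.N += n
        return key


if __name__ == "__main__":
    seed = b"constructed-seed"                 # constructed shared key x
    alice = StegoKeySchedule(seed, lambda n: 4 * n)
    bob = StegoKeySchedule(seed, lambda n: 4 * n)
    for n in (10, 300):
        print(alice.next_key(n) == bob.next_key(n), alice.N, alice.aux)
```

Both sides call next_key with the same message lengths in the same order, so they derive identical keys and stay in sync on N and aux_N.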

4.1 Performance Comparison of the Stegosystem S' and the Hopper, Langford, von Ahn System

The system of Hopper et al. [6] concerns a situation where the min entropy of all C_h is at least 1 bit. In this case, we may select an (n, λ, 3/8, ε_enc)-error-correcting code E. Then the system of Hopper et al. correctly decodes a given message with probability at least 1 − ε_enc and makes no more than 2λ calls to a pseudorandom function family. Were one to use the pseudorandom function family of Goldreich, Goldwasser, and Micali [5], then this involves production of Θ(λ · k · (log(|Σ|) + log λ)) pseudorandom bits, where k is the security parameter of the pseudorandom function family. Of course, the security of the system depends on the security of the underlying pseudorandom generator. On the other hand, with the same error-correcting code, the steganographic system described above utilizes O[log log log |Σ| + λ + log 1/ε_F] pseudorandom bits, correctly decodes a given message with probability 1 − (ε_enc + ε_F), and possesses insecurity no more than ε_F. In order to compare the two schemes, note that by selecting ε_F = 2^{−k}, both the decoding error and the security of the two systems differ by at most 2^{−k}, a negligible function in terms of the security parameter k. (Note also that pseudorandom functions utilized in the above scheme have security no better than 2^{−k} with security parameter k.) In this case, the number of pseudorandom bits used by our system,

(2 + o(1)) \left[ λ(n) + \log 1/ε_F + \log \log \log |Σ| \right] ,

is a dramatic improvement over the Θ(λ k log(|Σ| λ)) bits of the scheme above.